ClawHub

Memory Poison Auditor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory-auditing tool, but it can send memory excerpts to an external AI service and rewrite memory files, so it needs careful review before installation.

Install only if you are comfortable giving this skill access to long-term memory files. Run scan first, review the report, and use clean --apply only after checking the target path and backups. Do not use --with-ai unless you are willing to send selected memory excerpts and file metadata to the configured external AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'request' from os.environ.get (line 219, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST"
    )
    try:
        with urllib.request.urlopen(request, timeout=45) as response:
            parsed = json.loads(response.read().decode("utf-8"))
        raw_content = "".join(part.get("text", "") for part in parsed.get("content", []) if isinstance(part, dict))
        raw_content = raw_content.strip()
Confidence
98% confidence
Finding
with urllib.request.urlopen(request, timeout=45) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises executable commands that read memory files, rewrite them during cleaning, emit reports/backups to disk, and optionally perform AI review that the analyzer associates with network use, yet it declares no permissions. This creates a transparency and policy-enforcement gap: operators may invoke a skill believing it is low-risk auditing logic when it can also modify sensitive long-term memory and potentially transmit excerpts externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as an auditor, but the documented behavior includes cleaning/rewrite operations, backup creation, report persistence, and optional external AI review. That mismatch is dangerous because users may authorize or trust the skill for passive inspection while it can alter memory state and expose sensitive memory contents to other systems, which is especially risky given the target is a long-term memory store.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is described as auditing memory files, but this function performs external AI API calls and transmits memory excerpts to a third party. That is dangerous because memory stores often contain sensitive prompts, preferences, credentials, or private conversation residue, and the off-box transfer is not inherent to local auditing.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The cleanup routine rewrites scanned files and deletes suspicious blocks, which exceeds a reviewer/auditor role and can destroy user data or remove legitimate content. In a memory-analysis context, automatic modification is especially risky because false positives can silently alter long-term memory state and behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code accepts policy-driven and explicit paths, expands home/workspace variables, resolves them, and recursively scans files. This grants broad filesystem read access beyond a narrowly scoped memory store, which is dangerous because the same auditor can be pointed at unrelated sensitive files and then potentially feed their contents into later processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The AI review path transmits excerpts of scanned memory files to an external service without any visible user-facing notice or consent handling in this code. Because memory files can contain sensitive or hidden instructions, silent sharing materially increases privacy and data-governance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The cleanup routine removes lines from user files and writes the result back without any visible confirmation or safety interlock. Even with backups, silent destructive edits can corrupt memory stores, erase valid information, and create hard-to-detect behavioral changes in downstream systems.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal